Privacy Policy

Version 1 — DRAFT · 2026-05-06

This policy is in draft pending the operating-entity decision. The data practices below already reflect what the product does today.

Operator: Ayman (sole proprietor) — contact: aayman.aid@gmail.com
Product: TimeRecord — Chrome extension and web app at timerecord.app

1. What we collect

From the Chrome extension (Free + Premium):

  • Root domain (e.g., figma.com) of the active browser tab while the timer is ON.
  • Page title of the active tab.
  • Time durations associated with the user-selected Client and Task.
  • Idle status from the browser (active / idle) — never keystrokes or mouse content.

We never collect:

  • Full URLs or query strings.
  • Page contents.
  • Domains the user has added to the privacy blacklist.
  • Browsing data when the timer is OFF.

From the web app (Premium only):

  • Email address (for authentication).
  • Encrypted authentication tokens.
  • Subscription status (received from Lemon Squeezy webhook).
  • Your display name — auto-extracted from your OAuth provider (Google sign-in) on first login, or supplied by you when prompted on the dashboard. Stored to greet you and to label PDF reports / future invoices.

From the web app (Premium-only, Calendar Sync feature — opt-in):

  • OAuth refresh and access tokens for any calendar provider you connect (Google Calendar, Outlook Calendar). Tokens are encrypted at rest with AES-256-GCM before being written to the database.
  • The email address of the connected calendar account (so we can show you which account is currently connected).
  • Calendar event metadata (event title, start time, end time, all-day flag) is read on demand from the provider when you view /dashboard/calendar or /dashboard. It is rendered in your browser and never persisted to our database.

2. Why we collect it

  • To produce accurate timesheets — the core product feature.
  • To authenticate Premium users.
  • To process subscriptions (delegated to Lemon Squeezy as Merchant of Record).

Lawful basis under GDPR: performance of contract for paid features; legitimate interest for the free extension's local-only tracking.

3. Where data lives

  • Free tier: entirely on the user's device via chrome.storage.local. Nothing leaves the browser.
  • Premium tier: synced to our backend hosted in the EU (Supabase, region eu-central-1 / Frankfurt).
  • Calendar sync (opt-in, Premium): OAuth tokens are stored encrypted at rest in our EU backend. Calendar event metadata is read on demand from your provider's API and is never written to our database. You can disconnect any time at /dashboard/settings → Calendar sync, which deletes the stored tokens and (best-effort) revokes them at the provider.
  • Payments: Lemon Squeezy (Merchant of Record). They store name, billing address, and tax data — we receive only the email and subscription state.
  • Operator access (administration): the service operator has technical read access to all stored account data (email, sign-up date, last sign-in, plan and subscription status, clients/projects/tasks/entries/invoices you create on the Premium tier, and any OAuth tokens you have connected) for the purposes of support, billing reconciliation, fraud prevention, and aggregate analytics. Operator access is gated to a small allowlist of operator user IDs and is mediated through the same database that powers your account. Operator access is never used to view individual users' content for any purpose other than the ones above.

4. Sub-processors

Provider              | Purpose                                                                                                          | Region
----------------------|------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------
Supabase              | Auth + database for Premium                                                                                      | EU (Frankfurt — eu-central-1)
Cloudflare            | Web app hosting (Workers + Static Assets) and edge cache for timerecord.app                                      | Global edge (EU points-of-presence prioritised for EU visitors)
Resend                | Outbound email for magic-link sign-in (only when you request a sign-in link)                                     | EU
Google LLC            | Sign in with Google (when you use it) and read-only Google Calendar access (when you opt in to Calendar sync)    | US (standard Google DPA terms apply)
Microsoft Corporation | Read-only Outlook Calendar access via Microsoft Graph (when you opt in to Calendar sync)                         | US / EU (Microsoft Online Services DPA terms apply)
Lemon Squeezy         | Payments, invoicing, tax                                                                                         | US (DPA in place)

5. Your rights (GDPR)

  • Access, rectify, delete, or export your data.
  • Withdraw consent at any time.
  • Disconnect any calendar provider at /dashboard/settings → Calendar sync. Disconnect deletes the stored OAuth tokens for that provider and (best-effort) revokes them with the provider.
  • Delete your account at /dashboard/settings → Danger zone → Delete account. This permanently wipes your account and all associated data (clients, projects, tasks, time entries, profile, OAuth tokens, subscription record) via cascading delete.
  • Lodge a complaint with your local Data Protection Authority.

To exercise any right, email aayman.aid@gmail.com or use the in-app actions above.

6. Retention

  • Free tier: until the user clears extension storage.
  • Premium tier: while the account is active. Deleted within 30 days of account deletion.
  • Calendar sync tokens: kept while you remain connected. Deleted immediately when you disconnect or delete your account.
  • Calendar event data: never stored, so there is nothing to retain. Events are fetched at the moment you view them and discarded after the page renders.
  • Backups: rolling 30-day encrypted backups, then purged.

7. Security

  • TLS in transit, encryption at rest (provider default).
  • OAuth refresh and access tokens for connected calendar accounts are additionally encrypted at the application layer with AES-256-GCM before being written to the database, using a key held only in our hosting environment's secret store.
  • No third-party trackers on the extension.
  • Periodic security review — see Security.md.

8. Children

TimeRecord is not directed at children under 16. We do not knowingly collect data from children.

9. Changes

We will append new versions to this document. Past versions remain visible.

10. Contact

aayman.aid@gmail.com


Change log

  • 2026-04-26 — v1 drafted (not yet published — placeholder pending domain + backend choice).
  • 2026-05-06 — §3 backend locked to Supabase (per ADR-004); §4 sub-processors updated: Vercel removed, Cloudflare added (per ADR-009 — apps/web deploys to Cloudflare Workers via @opennextjs/cloudflare). Still v1 DRAFT pending operating-entity confirmation before publishing.
  • 2026-05-29 — Calendar Sync + Google sign-in went live, plus auth polish (display name capture, account deletion via Danger zone). Sections updated:
    • §1 — added a Calendar Sync sub-section documenting OAuth tokens (encrypted at rest) and calendar event metadata (read on demand, never persisted); added "display name" to the web-app data list with its OAuth-or-prompt collection path.
    • §3 — added a Calendar Sync bullet covering token storage location, on-demand event read, and the user-initiated disconnect path.
    • §4 — added Google LLC (Sign in with Google + Calendar API), Microsoft Corporation (Outlook Calendar via Microsoft Graph), and Resend (outbound magic-link email) to the sub-processor table.
    • §5 — added explicit "Disconnect calendar provider" and "Delete account" rights with the in-app paths.
    • §6 — added retention bullets for calendar sync tokens (deleted on disconnect) and calendar event data (never stored).
    • §7 — added explicit AES-256-GCM application-layer encryption note for OAuth tokens. Still v1 DRAFT pending operating-entity confirmation before publishing.
  • 2026-06-02 — §3 gained an explicit Operator access (administration) bullet documenting the operator's read access to account-level data (email, plan, subscription status, tracked entities, OAuth tokens) for support / billing / fraud / aggregate analytics purposes. Surfacing this matches the new /admin/* panel that gives the operator a structured view of users, subscriptions, and revenue. Allowlist-gated via ADMIN_USER_IDS; non-admins are redirected. Still v1 DRAFT pending operating-entity confirmation before publishing.